fbdev: sbuslib: integer overflow in sbusfb_ioctl_helper()

The "index + count" addition can overflow. Both come directly from the user. This bug leads to an information leak. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: Peter Malone <peter.malone@gmail.com> Cc: Philippe Ombredanne <pombredanne@nexb.com> Cc: Mathieu Malaterre <malat@debian.org> Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>

fbdev: sbuslib: integer overflow in sbusfb_ioctl_helper()
The "index + count" addition can overflow. Both come directly from the user. This bug leads to an information leak. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: Peter Malone <peter.malone@gmail.com> Cc: Philippe Ombredanne <pombredanne@nexb.com> Cc: Mathieu Malaterre <malat@debian.org> Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
e5017716 · Dan Carpenter · Bartlomiej Zolnierkiewicz · d8bad911 · e5017716
Commit e5017716 authored Oct 08, 2018 by Dan Carpenter Committed by Bartlomiej Zolnierkiewicz Oct 08, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

drivers/video/fbdev/sbuslib.c drivers/video/fbdev/sbuslib.c +1 -1

No files found.
--- a/drivers/video/fbdev/sbuslib.c
+++ b/drivers/video/fbdev/sbuslib.c
@@ -171,7 +171,7 @@ int sbusfb_ioctl_helper(unsigned long cmd, unsigned long arg,
 		    get_user(ublue, &c->blue))
 			return -EFAULT;
-		if (index + count > cmap->len)
+		if (index > cmap->len || count > cmap->len - index)
 			return -EINVAL;
 		for (i = 0; i < count; i++) {